Visa to Bar Transactions by Processor

Filed under
Security

Visa USA said yesterday that it would stop allowing the payment processor CardSystems Solutions to handle its transactions, months after the processor left the records of millions of cardholders at risk for fraud.

"CardSystems has not corrected, and cannot at this point correct, the failure to provide proper data security for those accounts," said Tim Murphy, Visa's senior vice president for operations, in a memorandum sent to several banks. "Visa USA has decided that CardSystems should not continue to participate as an agent in the Visa system."

Cardholders and merchants should not be affected by the change.

Visa said its decision to remove CardSystems came after a review and an independent investigation found that the payment processor had improperly stored cardholder data and did not have the proper controls in place.

It is unclear if MasterCard and American Express will take similar action, but with Visa accounting for more than half of all card transactions, the move raises questions about the future of CardSystems.

"I've never heard of them booting off a processor," said Avivah Litan, a security analyst at Gartner Inc., a technology research group. "The worst thing that I've heard is a processor that had to cough up $1 million."

The move came at least two months after Visa first learned that data had been compromised and just days before its executives, along with those of other major card companies, have been called to testify in Washington about their security practices. The chief executive of CardSystems, John M. Perry, is also expected to testify on Thursday.

In a statement released yesterday, CardSystems said Visa's decision was unexpected and upsetting. "We are disappointed and very surprised that Visa has decided to take this action today, not only because of the impact that it will have on our employees, but the disruption that it will cause to our 110,000 merchant customers," the processor said. "We hope that Visa will reconsider."

Visa has given at least 11 banks, which hired CardSystems to handle the merchant transactions, until the end of October to change processors, the memo said. Until then, CardSystems will be allowed to process Visa transactions as long as it has corrected any problems and allows a Visa-affiliated monitor on site to oversee its operations in Tucson. CardSystems is also banned from handling Visa transactions from its international affiliates or any new merchants, processors or member banks in the United States.

Visa had been weighing the decision for a few weeks but as recently as mid-June said that it was working with CardSystems to correct the problem. CardSystems hired an outside security assessor this month to review its policies and practices, and it promised to make any necessary upgrades by the end of August. CardSystems, in its statement yesterday, said the company's executives had been "in almost daily contact" with Visa since the problems were discovered in May.

Visa, however, said that despite "some remediation efforts" since the incident was reported, the actions by CardSystems were not enough.

"Visa cannot overlook the significant harm the data compromise and CardSystems' failure to maintain the required security protections has had on member financial institutions and merchants as well as the significant concerns it raised for cardholders," the company said in a statement.

At this point, it is unclear what the other branded card companies will do. MasterCard has previously said that it was giving CardSystems a "limited amount of time to demonstrate compliance with MasterCard security requirements" but never laid out a specific timetable.

Sharon Gamsin, a MasterCard spokeswoman, did not return calls seeking comment. Judy Tenzer, an American Express spokeswoman, said the company did not comment about its relationships with vendors. Leslie Sutton, a Discover Financial spokeswoman, could not offer an immediate response.

Visa's decision is the latest development since the disclosure in mid-June that the CardSystems computer network had been compromised, putting the cardholder names, account numbers and security codes of as many as 40 million credit and debit cardholders at risk for fraud. The information of about 22 million Visa cardholders was exposed; MasterCard reported the data of 14 million of its cardholders was potentially at risk; and the rest largely belonged to customers of American Express and Discover.

At the time, Mr. Perry of CardSystems acknowledged that the company had been improperly storing data, violating Visa and MasterCard security rules. He said data thieves directly obtained information related to some 200,000 cardholder accounts. The F.B.I. and a group of federal banking regulators are now investigating.

In its statement, Visa offered its most scathing indictment of those security violations to date. The chief executive of CardSystems had "stated that the company knowingly retained unmasked magnetic stripe cardholder data, purportedly for 'research purposes,' " Visa said. "Visa's security requirements were adopted precisely for the purpose of protecting cardholder information and guarding against the type of data compromise recently experienced by CardSystems."

In the letter Visa sent to the banks, Mr. Murphy suggested that the data breach occurred as early as August 2004.

By ERIC DASH
The New York Times.
